BC-SNC, MIT Kerberos V, SSO, GSS-API v2

Norbert Klasen norbert+lists.mit-kerberos at burgundy.dyndns.org
Tue Sep 7 08:40:44 EDT 2004

Hello Calin,

--On Dienstag, 7. September 2004 10:04 +0200 Calin Barbat 
<c.barbat at osram.de> wrote:

> Both adapters now pass gsstest-1.26. The remaining issue is that I still
> get the following error output (in dev_w0) when trying to SNC connect to
> the server:
> N  *** ERROR => SncPEstablishContext()==SNCERR_GSSAPI  [sncxxall.c 3423]
> N        GSS-API(maj): A token was invalid
> N        GSS-API(min): Mechanism is incorrect
> N      Unable to establish the security context
> N  <<- SncProcessInput()==SNCERR_GSSAPI
> M  *** ERROR => ThSncIn: SncProcessInput (SNCERR_GSSAPI) [thxxsnc.c
> 973]
> M  *** ERROR => ThSncIn: SncProcessInput [thxxsnc.c    978]
> M  in_ThErrHandle: 1
> M  *** ERROR => ThSncIn: SncProcessInput (step 4, th_errno 44, action 1,
> level 1) [thxxhead.c   8787]
> Perhaps this is some configuration issue, perhaps it has to do with the
> interoperability between the MIT and Win2k Kerberos implementations.
> Any help or hint in the right direction would be greatly appreciated,

some hints you might want to try:
- use MIT Kerberos 1.3.x. It implements the native Windows enctype 
arcfour-hmac-md5 and supports TCP to connect to the KDC. (unlikely)
- test if you can successfully establish a GSSAPI connection between your 
Windows workstation and your Unix server with gss-client and gss-server 
(Windows versions are included in the KfW package).


More information about the Kerberos mailing list